What goes into the cost of an SSL Certificate?

SSL Providers use optimized hardware devices both to protect the private keys upon which the certificates are based and to ensure fast creation of SSL Certificates. Such devices can create approximately 200 Certificates every second. The devices themselves have to be placed in a securelocation (physically). The devices also have to have redundancy and fail over systems built in to ensure smooth operational efficiency. In addition the certificate issuance network the infrastructure is protected by firewalls and Intrusion Prevention Systems, all of which needs to be constantly audited and maintained. The practical cost associated with provision of this infrastructure (Capital investment and running costs) together with the actual cost of issuance i.e. the validation process affects the overall cost of the certificate. The cost of the validation process will vary most depending on the methodology used by the CA for validation.

Comodo entered the market in May 2002 and established new ground when validating applications. Whilst the trust-related benefits of traditional validation still take place, the use of IdAuthority allows Comodo to expedite applications far faster. The result is strong validation, fast issuance speed, and the low cost of validation are passed onto the customers.

Why are there significant price differences among Certificate Authorities?

The SSL Certificate market was traditionally dominated by a small number of players, namely VeriSign and Thawte. Whilst in a monopolistic position they had the capability of charging inflated prices for a commodity product. However new providers with no necessity to hold prices high were able to offer SSL certificates at far more reasonable prices.

No in the case of High Assurance SSL Certificate providers as the certificates are technically identical and therefore prices can be directly compared*.

*noting the lower browser compatibility issue that affects some suppliers.

Yes in the case of Low Assurance providers who only validate domain name ownership. By not validating the applicant as a legitimate legal entity, consumers have no means to verify who it is they are communicating with. - The pitfalls are detailed here